19 August 2012

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level02 is similar to Level01 in that you don't need to know C++ as much as you need to understand what is going on at the command line. You can see from the level02 code that it executes /bin/echo, which prints the $USER variable. So, let's change the $USER variable to execute our getflag command.

There are 3 different ways to chain Linux commands together. I chose to use the ampersand (&).
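The pattern behind level02, as an added example that is not code from Nebula or from the original post: a program builds the text "/bin/echo $USER" and hands it to a shell, so whatever $USER contains is parsed as shell syntax rather than treated as data. The functions below contrast that with passing the value as an argument, and show the allowlist check a privileged program could apply before trusting the variable at all. The demo value is constructed for the example; the second command in it only prints a marker.

```shell
#!/bin/sh
# Added example (not from the Nebula level or the original post).

# run_unsafe VALUE: interpolate VALUE into the command text before the shell
# parses it. This is what system("/bin/echo $USER") amounts to in C: the
# shell sees VALUE as part of the command line, chaining characters included.
run_unsafe() {
    sh -c "/bin/echo $1"
}

# run_safe VALUE: pass VALUE as a positional argument. The shell parses only the
# fixed command text; "$1" expands to a single word, so chaining characters in
# VALUE are printed, not executed.
run_safe() {
    sh -c '/bin/echo "$1"' sh "$1"
}

# is_plain_username VALUE: allowlist check (portable username characters only).
# A setuid program that must use $USER should reject anything else up front
# instead of relying on quoting alone.
is_plain_username() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed demo value: a normal name, a chaining character, and a harmless
# second command that just announces itself.
demo_value='alice; printf "second command ran\n"'

printf 'unsafe interpolation gives:\n%s\n\n' "$(run_unsafe "$demo_value")"
printf 'argument passing gives:\n%s\n\n' "$(run_safe "$demo_value")"
if is_plain_username "$demo_value"; then
    printf 'allowlist: accepted\n'
else
    printf 'allowlist: rejected\n'
fi
```

Run it as a script: the first block prints "alice" and then the marker from the chained command, the second prints the whole value as one literal line, and the allowlist rejects the value because of the semicolon, space and quotes.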

18 August 2012

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

With level01 you don't need to know about programming in C++ as much as you do about how Linux calls binary commands. So, read the blurb over at Wikipedia about the $PATH variable. The whole point of how the $PATH variable affects Linux/Unix systems is that when a command needs to be executed, Linux/Unix needs to find where it is, and the $PATH variable specifies where to look.

So, skimming through the source code shown on Nebula level01, you'll see that the program runs the echo command, which prints out "and what now?". But remember what you read at Wikipedia about the $PATH variable? The only way to deliberately execute a command in a specific location is to prefix it with its location (./). Therefore, as you can see from the source code, the echo command isn't being deliberately executed. It is being found using the $PATH variable and executed at the first instance it is located. What if there was another echo command somewhere else that we could point the $PATH variable to? Perhaps an echo command that we created... that ran the getflag binary for us :)

To do this, we create a symbolic link named echo (our own echo command) that points to the target binary: 'getflag'.

First, make sure we are in /home/flag01

$ cd ~

Now, create the soft symlink

$ ln -s /bin/getflag echo

Then export the $PATH to update it.

$ export PATH=/home/level01:$PATH

Make sure it worked

$ echo $PATH

Finally, run flag01

$ /home/flag01/flag01
You have successfully executed getflag on a target account

27 April 2012

The Dream

Not long ago I was doing some research on the topic of brute forcing passwords. I was considering setting up a GPU farm to host a password cracking service. Basically, people would submit password hashes and I would crack them. For a price obviously. I envisioned making millions and getting government contracts.

Unfortunately I didn't get past the research and planning phase.

The Reality

Turns out that cracking a password takes forever, as in, longer than 10 minutes - and that makes it a poor business venture. With the assistance of the fine gentleman over at Cryptohaze.com, I did some number crunching:

I wanted to crack NTLM (Windows).
I wanted to crack a full character space password - meaning all ASCII characters - which totals 95.
I wanted to crack a password that was at least 14 characters long.

Using Google Calculator I get: 95^14 = 4.87674979 × 10^27 password combinations. If you attended 8th grade you should know that that is an enormous number.

"Alright fine." I thought. "I'll just get a ton of GPUs to assist me with the cracking."

An Nvidia 580 card can crack ~2B NTLM passwords / sec. What if I had 1024 cards cracking all at once?

Google Calculator tells me: (95^14) / (2,000,000,000 × 1024) = 2.38122548 × 10^15 seconds = 75,508,164.8 years.
Yeah, that is right about when my dream of striking it rich went out the window.

The Misconception?

Everybody knows that brute forcing passwords takes a long time, so you are probably wondering why I titled this article The Brute Force Misconception. Here's why: in the last year or so password cracking has made huge leaps and bounds in terms of cracking speed. This can all be credited to the CUDA programming language allowing access to the massively parallel Nvidia GPU. People have written programs that exponentially reduce the amount of time it takes to crack a password. However, even a 10 character password would take nearly a year to crack. Doh! Well, 1 year is less than 10,000, but still, 1 year is a long time.

Granted, an 8 character password takes about a minute (with 1024 Nvidia 580's). However, 10 character passwords are becoming more and more common. AND who has a 1024-GPU farm set up?

You'll be dead and gone before your password is spit out in clear text.

Extra Notes

- Use LastPass - it's awesome.
- Check out Cryptohaze.com - it is an incredible GPU password cracker (with networking capabilities).
- Check out AtlasFolding.com if you are thinking of putting together a small GPU farm.